Mind the threat management gap

In Leigh Bradford's view, the end of Microsoft's Forefront threat management gateway poses a challenge for customers

Microsoft has pledged to support existing Forefront Threat Management Gateway (TMG) customers until the end of 2015, with extended support potentially running until 2020. Yet the move – which surprised many customers and resellers – presents real challenges and raises questions.

Formerly known as Microsoft Internet Security and Acceleration Server (ISA Server), Forefront TMG has been key for many organisations deploying Exchange, Lync or SharePoint.

It offers customers a way to publish and protect workload servers such as Exchange Client Access Servers, especially in internet-facing deployments where a clean and secure separation between back-end critical infrastructure and the public internet is essential.

It is relatively easy to deploy and provides reverse-proxy functionality, which is essential when you use a demilitarised zone (DMZ) to vet incoming internet connections before passing traffic to servers hidden on the internal network.

Microsoft's decision to stop selling Forefront TMG is part of a bigger picture: its plan to move more security controls into the cloud with Office 365, and to steer customers towards its Unified Access Gateway (UAG) product.

UAG can cost up to twice as much. Depending on where in the world the customer is based, the cost of transition could be high. And for applications such as Exchange there are functionality gaps, such as two-factor authentication for ActiveSync devices and certificate-based authentication in other scenarios.

It also does not yet support some Lync functionality, and would be overkill if deployed for that purpose alone.

So what should resellers do?

Many already sell hardware load-balancing appliances alongside Forefront TMG to publish Microsoft workload servers for internet-facing applications.

This separates critical infrastructure from the external internet. Such load balancers can stop traffic at the gate and direct each user to the best-performing server.

If one server becomes inaccessible, the load balancer automatically reroutes traffic to the remaining healthy servers to maintain availability. Load balancers may also offload processor-intensive SSL encryption from the workload servers to increase throughput.

Some vendors are now extending their load-balancing platforms with security features that address the reverse-proxy gap.

These may include endpoint pre-authentication, so that workload servers are shielded from unauthenticated requests, and single sign-on across virtual services: a client authenticated to Exchange may also be granted access to SharePoint and other workloads configured in the same group.
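The gate behaviour described in the two passages above (health-based failover across a pool of published servers, pre-authentication at the edge, and single sign-on across virtual services) is sketched below as an added, illustrative Python example. It is not Kemp's, Microsoft's or any appliance's code; the paths, server names, group names, signing key and the simulated health probe are all made-up assumptions.

```python
"""Added illustrative example: a minimal reverse-proxy 'gate' in front of
published workload servers. Hosts, paths, groups and the key are made up."""
import hmac
import hashlib
import time
from dataclasses import dataclass

SECRET = b"rotate-me-in-production"   # assumed shared SSO signing key


@dataclass
class Backend:
    name: str
    healthy: bool = True   # set by the health probe below
    active: int = 0        # in-flight connections (least-connections pick)


@dataclass
class VirtualService:
    """One published workload, e.g. /owa -> an Exchange CAS pool."""
    path: str
    allowed_groups: set
    pool: list


def issue_token(user: str, groups: list, ttl: int = 3600, now=None) -> str:
    """SSO token 'user|groups|expiry|hmac'. Issued once, then accepted by
    every virtual service whose allowed_groups intersect the user's groups."""
    exp = int((now or time.time()) + ttl)
    body = f"{user}|{','.join(groups)}|{exp}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def pre_authenticate(token: str, now=None):
    """Return (user, groups) for a valid, unexpired token, else None.
    This runs at the edge, before any workload server is contacted."""
    try:
        user, groups, exp, mac = token.split("|")
    except ValueError:
        return None
    body = f"{user}|{groups}|{exp}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if int(exp) < (now or time.time()):
        return None
    return user, set(groups.split(","))


def probe(pool, reachable):
    """Health check: mark a backend unhealthy when its probe fails.
    `reachable(name)` is a constructed stand-in for an HTTP/TCP probe."""
    for b in pool:
        b.healthy = reachable(b.name)


def choose_backend(pool):
    """Least-connections among healthy members; None if the pool is down."""
    healthy = [b for b in pool if b.healthy]
    return min(healthy, key=lambda b: b.active) if healthy else None


def handle(services, path, token, now=None):
    """Edge decision: 404 unknown service, 401 before any backend is touched,
    403 if the user is in no allowed group, 503 if no healthy backend,
    otherwise 200 plus the backend the request was forwarded to."""
    svc = next((s for s in services if path.startswith(s.path)), None)
    if svc is None:
        return 404, None
    auth = pre_authenticate(token, now)
    if auth is None:
        return 401, None
    user, groups = auth
    if not groups & svc.allowed_groups:
        return 403, None
    backend = choose_backend(svc.pool)
    if backend is None:
        return 503, None
    backend.active += 1          # forward the request (simulated)
    return 200, backend.name


if __name__ == "__main__":
    # Constructed pools and services for a stand-alone run.
    cas = [Backend("cas1"), Backend("cas2")]
    services = [VirtualService("/owa", {"exchange-users"}, cas),
                VirtualService("/sites", {"sharepoint-users"}, [Backend("sp1")])]
    tok = issue_token("alice", ["exchange-users", "sharepoint-users"])
    print(handle(services, "/owa/", tok))        # (200, 'cas1')
    print(handle(services, "/sites/", tok))      # same token, other service
    print(handle(services, "/owa/", "bogus"))    # (401, None): never hits CAS
    probe(cas, lambda name: name != "cas1")      # cas1 fails its health check
    print(handle(services, "/owa/", tok))        # (200, 'cas2')
```

The point the example makes is ordering: the token check and the group check are decided entirely at the edge, so an unauthenticated or unauthorised request never consumes a connection on an Exchange or SharePoint server, and the health probe, not the client, decides which server receives the traffic.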

Businesses use many internet-facing applications these days.

Leigh Bradford is UK sales manager at Kemp Technologies